Openssh 6.7 disables a number of ciphers

graysky · 2014-10-19 11:56:27

For those using ssh over rsync or just scp to move files around on a LAN, be aware that a number of version 2 ciphers have been disabled in the 6.7p1-1 release of openssh (see release notes) including the following:
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se

That leaves the following available:
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

If you have defined any of these ciphers in ~/.ssh/config you should switch to one of the supported ones. Also make the change in any shell script you might be using. The significance of this particularly for older hardware could be much slower transfer speeds. See this thread for a comparison of all version 2 ciphers moving 500 MB files around. The conclusion from this older experiment was that any of the arcfour ciphers provided the fastest transfers on LANs where security was not a concern.

Using a similar script I shared in the linked thread, I tested these supported ciphers an 1100 MB file this time (with 6 replicates) and found that all are more or less the same within error of the experiment on the Ivy or Haswell hardware tested (with the exception of the chacha20-poly1305 cipher that was a tiny bit slower on each). The older Yorkfield (Xeon version of the Q9550) had a harder time keeping up and slightly preferred the aes256-gcm cipher. YMMV.

None of these were CPU-limited using my hardware (sending machine was a Haswell i7-4790k and receiving machines are as indicated in the headers on the plots.

You can benchmark your own hardware with the script below:
Script: https://gist.github.com/graysky2/0e265604bfd4856a2596

Last edited by graysky (2015-11-22 22:16:24)

Pse · 2014-10-20 02:55:39

Thank you for taking the time to post about this.

Last edited by Pse (2014-10-20 02:55:52)

HiImTye · 2014-10-20 06:30:12

* sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour*
are disabled by default.
The full set of algorithms remains available if configured
explicitly via the Ciphers and MACs sshd_config options.

you can still enable them if you wish in your system-wide settings

Last edited by HiImTye (2014-10-20 06:30:29)

graysky · 2014-10-23 19:43:39

Pse wrote:

Thank you for taking the time to post about this.

You're welcome; glad someone found it of value.

HiImTye wrote:

you can still enable them if you wish in your system-wide settings

True but unless you combine them with an IP restriction (LAN only) that would be ill-advised since they were disabled for a reason I edited the first post including the arcfour as a comparison.

Last edited by graysky (2014-10-23 20:24:38)

kokoko3k · 2014-10-24 13:57:13

Thanks graysky, your results probably depends on specific cpu accelerated functions.
My mileage varies much on a Core2 Duo E7500.

I tried to make a benchmark without involving too much I/O operations.
This one requires sshpass:

#!/bin/bash

user=<username with access to local ssh server>
password=<his password>
port=22  
MB=200

export LC_ALL=C

ciphers="3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr \
         aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com arcfour \
         arcfour128 arcfour256 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com"

#ciphers=$(ssh -Q cipher)

for cipher in $ciphers; do
        echo cipher: "$cipher"
        dd if=/dev/zero bs=1M count=$MB conv=sync  | \
        sshpass -p $password ssh -c $cipher -o Compression=no -o Port=$port $user@127.0.0.1 "cat - >/dev/null"
done

And my results:

# nice -n -19 /tmp/ciphers.sh 2>&1|grep 'cipher\|MB'
cipher: 3des-cbc
209715200 bytes (210 MB) copied, 11.0941 s, 18.9 MB/s
cipher: aes128-cbc
209715200 bytes (210 MB) copied, 1.78707 s, 117 MB/s
cipher: aes192-cbc
209715200 bytes (210 MB) copied, 2.14264 s, 97.9 MB/s
cipher: aes256-cbc
209715200 bytes (210 MB) copied, 2.02551 s, 104 MB/s
cipher: aes128-ctr
209715200 bytes (210 MB) copied, 1.70451 s, 123 MB/s
cipher: aes192-ctr
209715200 bytes (210 MB) copied, 1.77964 s, 118 MB/s
cipher: aes256-ctr
209715200 bytes (210 MB) copied, 2.00527 s, 105 MB/s
cipher: aes128-gcm@openssh.com
209715200 bytes (210 MB) copied, 1.99968 s, 105 MB/s
cipher: aes256-gcm@openssh.com
209715200 bytes (210 MB) copied, 2.33376 s, 89.9 MB/s
cipher: arcfour
209715200 bytes (210 MB) copied, 1.51805 s, 138 MB/s
cipher: arcfour128
209715200 bytes (210 MB) copied, 1.43505 s, 146 MB/s
cipher: arcfour256
209715200 bytes (210 MB) copied, 1.41674 s, 148 MB/s
cipher: blowfish-cbc
209715200 bytes (210 MB) copied, 3.21618 s, 65.2 MB/s
cipher: cast128-cbc
209715200 bytes (210 MB) copied, 3.28389 s, 63.9 MB/s
cipher: chacha20-poly1305@openssh.com
209715200 bytes (210 MB) copied, 2.16026 s, 97.1 MB/s

solar · 2015-02-01 02:11:43

Worth noting, that now it is likely a good idea to do make OPENSSL=no in the openssh PKGBUILD as openssl is infested with US subterfuge and NIST "random" seeds, (don't use ECDSA!), but compiling it without lends to niceties like EDDSA and so on ,p

EDIT: Ah, it finished and is not part of the portable options..sigh.

Last edited by solar (2015-02-01 03:27:14)

vak · 2015-07-06 06:56:51

Could someone sum up, please, what is recommended to use instead of disabled arcfour,blowfish-cbc in a usual case?

graysky · 2015-07-06 09:49:10

The answer to your question is clearly stated in the first post.

kozaki · 2015-09-14 22:46:37

Just runned kokoko3k's script on 3 machines, of which two tiny netbooks that are handy when moving away.

Atom Z520 @ 1.33GHz, none of the left ciphers make it to 7MB/s, that's a 75% drop from Arcfour, which tops out at, well an incredible 23MB/sec
Atom N450 @ 1.66GHz, 3 of them pass 10MB/s (max 15), a 50% drop from arcfour;
On an i3-3220 @ 3.30GHz, 4 allow for over 200 MBc, a 20% drop from arcfour.

indeed CPU does make a difference

@Graysky I like your graph! mind to share how do you ouput that?

EDIT: Tested Z520 has older OpenSSH_5.8p2, OpenSSL1.0.0j-Fips, while N450 runs OpenSSH_7.1p1, OpenSSL 1.0.2d. Dunno about the version difference's impact.

Last edited by kozaki (2015-09-15 00:44:44)

graysky · 2015-09-14 23:55:21

@kozaki - Spotfire dxp

kozaki · 2015-09-15 00:41:20

Thanks! Ah, demos are appealing. Now I don't have that kind of server arround atm

graysky · 2015-11-22 22:17:32

I updated the first post responding some the feedback to explore additional hardware. Indeed, the older machine (Yorkfield in my case) gave a different answer. What's probably more important is sharing the script to test your own hardware if you move a ton of data around your LAN or if you're just OCD like me.

Arch Linux

#1 2014-10-19 11:56:27

Openssh 6.7 disables a number of ciphers

#2 2014-10-20 02:55:39

Re: Openssh 6.7 disables a number of ciphers

#3 2014-10-20 06:30:12

Re: Openssh 6.7 disables a number of ciphers

#4 2014-10-23 19:43:39

Re: Openssh 6.7 disables a number of ciphers

#5 2014-10-24 13:57:13

Re: Openssh 6.7 disables a number of ciphers

#6 2015-02-01 02:11:43

Re: Openssh 6.7 disables a number of ciphers

#7 2015-07-06 06:56:51

Re: Openssh 6.7 disables a number of ciphers

#8 2015-07-06 09:49:10

Re: Openssh 6.7 disables a number of ciphers

#9 2015-09-14 22:46:37

Re: Openssh 6.7 disables a number of ciphers

#10 2015-09-14 23:55:21

Re: Openssh 6.7 disables a number of ciphers

#11 2015-09-15 00:41:20

Re: Openssh 6.7 disables a number of ciphers

#12 2015-11-22 22:17:32

Re: Openssh 6.7 disables a number of ciphers

Board footer